From amjudge@dsg.cs.tcd.ie Wed Nov 30 04:47:08 1994
Received: from longvalley.dsg.cs.tcd.ie (longvalley.dsg.cs.tcd.ie [134.226.36.37]) by freefall.cdrom.com (8.6.8/8.6.6) with SMTP id EAA15891 for ; Wed, 30 Nov 1994 04:43:51 -0800
Received: from janis.dsg.cs.tcd.ie by longvalley.dsg.cs.tcd.ie id aa22024; 30 Nov 94 12:43 GMT
Received: (from amjudge@localhost) by janis.dsg.cs.tcd.ie (8.6.9/8.6.9) id MAA22796; Wed, 30 Nov 1994 12:43:39 GMT
Message-Id: <199411301243.MAA22796@janis.dsg.cs.tcd.ie>
Date: Wed, 30 Nov 1994 12:43:39 GMT
From: Alan Judge
Reply-To: amjudge@dsg.cs.tcd.ie
To: FreeBSD-gnats-submit@freebsd.org
Cc: amjudge@dsg.cs.tcd.ie
Subject: Security bug in password expiry
X-Send-Pr-Version: 3.2

>Number:         32
>Category:       bin
>Synopsis:       Bug in password expiry allows users to change other passwords
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    core (FreeBSD core team)
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 30 04:50:02 1994
>Closed-Date:    Wed Nov 30 14:42:47 PST 1994
>Last-Modified:
>Originator:     Alan Judge
>Release:        FreeBSD 2.0-RELEASE i386
>Organization:
Trinity College, Dublin, Ireland.
>Environment:
FreeBSD 2.0 installed with minimal changes.
>Description:
It would seem that the password expiry code (in login) gets confused. Or maybe the code in the exec'ed passwd. Anyway, the net effect is that you get presented with something like:

FreeBSD (janis.dsg.cs.tcd.ie) (ttyp2)

login: testuser
Sorry -- your password has expired.
Changing local password for amjudge.
New password:

Note that passwd is changing the password for a different user. Note also that it doesn't prompt for the old password. The user it picks seems to vary. When I tried a console login, it offered to change root's password!

I also note that you can interrupt the passwd change and login anyway without changing password.
>How-To-Repeat:
Add a line like:

testuser::1000:200::2000:0:test user:/tmp:/bin/csh

using vipw, and login as testuser.
>Fix:
Dunno.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: davidg
State-Changed-When: Wed Nov 30 14:42:47 PST 1994
State-Changed-Why:
This bug was fixed by Ugen; basically, added a setuid before forking the passwd and also checking the return status to make sure the user really did change it.
>Unformatted:
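The two-part fix named in the audit trail (switch to the user's identity before running passwd, and refuse the login unless passwd reports success) is a general pattern for any privileged program that hands off to a setuid helper. The following is an added illustration written for this page; it is not the FreeBSD login or passwd source. The helper name `run_passwd_as_user` and the result enum are hypothetical, and the commands in `main` are constructed stand-ins for passwd (a clean exit versus a process killed mid-run, standing in for the ^C interruption described in the report) so that the program runs anywhere. The reason the credential drop matters is that passwd picks the account to change from the caller's real uid, so exec'ing it while still root (or as some other uid) changes the wrong user's password without an old-password prompt.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Outcome of running the password-change helper (hypothetical enum). */
enum pwchange_result {
    PWCHANGE_OK = 0,           /* helper exited 0: password really changed */
    PWCHANGE_FAILED = 1,       /* helper exited non-zero, or could not be run */
    PWCHANGE_INTERRUPTED = 2,  /* helper died from a signal (e.g. user hit ^C) */
    PWCHANGE_ERROR = 3         /* fork or wait failed in the parent */
};

/*
 * Run argv (for real use: {"/usr/bin/passwd", NULL}) as uid/gid and report
 * how it ended. The child switches to the logging-in user's credentials
 * BEFORE exec, so the helper acts on that account rather than on whatever
 * identity the privileged parent happens to hold. The parent then waits
 * and inspects the status; only a clean exit 0 counts as success.
 */
enum pwchange_result run_passwd_as_user(uid_t uid, gid_t gid, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return PWCHANGE_ERROR;

    if (pid == 0) {
        /* Child: drop privileges. Set the group first, while we still
         * have the privilege to do so, then the user. */
        if (setgid(gid) != 0 || setuid(uid) != 0)
            _exit(127);
        /* Verify the drop actually took before exec'ing anything. */
        if (getuid() != uid || geteuid() != uid)
            _exit(127);
        execv(argv[0], argv);
        _exit(127); /* exec failed */
    }

    /* Parent: wait for the helper, retrying if a signal interrupts wait. */
    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return PWCHANGE_ERROR;
    }
    if (WIFSIGNALED(status))
        return PWCHANGE_INTERRUPTED;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return PWCHANGE_OK;
    return PWCHANGE_FAILED;
}

/* Login policy: an expired password must actually have been changed. */
int login_may_proceed(enum pwchange_result r)
{
    return r == PWCHANGE_OK;
}

int main(void)
{
    /* Constructed stand-ins for passwd so this runs unprivileged. */
    char *const changed[] = {"/bin/sh", "-c", "exit 0", NULL};
    char *const aborted[] = {"/bin/sh", "-c", "kill -KILL $$", NULL};

    enum pwchange_result r1 = run_passwd_as_user(getuid(), getgid(), changed);
    enum pwchange_result r2 = run_passwd_as_user(getuid(), getgid(), aborted);

    printf("clean exit:  login %s\n", login_may_proceed(r1) ? "allowed" : "refused");
    printf("interrupted: login %s\n", login_may_proceed(r2) ? "allowed" : "refused");
    return 0;
}
```

Running it as an ordinary user works because setuid/setgid to one's own real ids is always permitted; a real login runs this as root and passes the target user's ids from the password database entry. Treating a signal death and a non-zero exit identically (both refuse the login) is what closes the second issue in the report, where interrupting passwd let the session continue with the expired password still in place.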